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Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 . 1 36(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 
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earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )^ Responsive to communication(s) filed on 21 April 2005 . 
2a)S This action is FINAL. 2b)n This action is non-final. 

3) n Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD, 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-20 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) n Claim(s) is/are allowed. 

6) 13 Claim(s) 1-20 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10) 0 The drawing(s) filed on is/are: a)^ accepted or b)n objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) 0 The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 
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application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

Claims 1-20 have been considered. 

Claim Rejections - 35 (JSC §102 

5 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for 

the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
10 States. 

Claims 1-7 and 10-19 are rejected under 35 U.S.C. 102(b) as being anticipated by Chambers, 
U.S. Patent No. 5,398,196. 

15. 

As per claims 1,10,11,12, and 14, the applicant discloses the following method of detecting viral 
code which is anticipated by Chambers: 

a) creating an artificial memory region spanning one or more components of the operating system 
(Col 7. line 63 to Col 8, line 21; Col 7, lines 23-28); 
20 b) emulating execution of computer executable code in a subject file (Col 3, lines 42-45); 

c) detecting when the emulated computer executable code attempts to access the artificial 
memory region (Col 8, lines 28-30); 

The applicant should note that the use of a processor is an additional limitation for claim 11. This 
limitation is met by Chambers (see Col 4, line 61). 

25 

As per claim 2, the applicant discloses the method of claim 1 , which is met by Chambers (see 
above), with the following limitation which is also met by Chambers: 
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Wherein detecting when the emulated computer executable code attempts to access the artificial 
memory region comprises monitoring operating system calls by the emulated computer executable code 
(Col 6, line 68; Col 7, lines 1-15). 

5 As per claim 3, the applicant discloses the method of claim 1, which is met by Chambers (see 

above), with the following limitations which are also met by Chambers: 

a) determining an operating system call that the emulated computer executable code attempted 
to access (Col 9, lines 13-25; Col 9, lines 44-54); 

b) monitoring the operating system call to determine whether the computer executable code is 
10 viral (Col 9, lines 13-25; Col 9, lines 44-54). 

The applicant should note that the operating system call Is the attempt to gain access to an 
operating system entry point. Through emulation of an interrupt handler routine, the method is able to 
monitor whether a virus is present. 

15 As per claims 4 and 16, the applicant discloses the method of claim 1, which is met by Chambers 

(see above), with the following limitations which are also met by Chambers: 

a) determining an operating system call that the emulated computer executable code attempted 
to access (Col 9, lines 13-25; Col 9, lines 44-54); 

b) emulating functionality of the operating system call while monitoring the operating system call 
20 to determine whether the computer executable code is viral (Col 9, lines 13-25; Col 9, lines 44-54); 

The applicant should note that the operating system call is the attempt to gain access to an 
operating system entry point. Through emulation of an interrupt handler routine, the method is able to 
monitor whether a virus is present. 



25 



As per claims 5 and 17, the applicant discloses the method of claim 1, which is met by Chambers 
(see above), with the following limitation which is also met by Chambers: 
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Further comprising monitoring accesses by the emulated computer executable code to the 
artificial memory region to detect looping (Col 10, lines 40-43); 

Applicant should note that looping is synonymous with the virus' "replicative behavior" (Col 10, 

line 43). 

As per claims 6 and 1 8, the applicant discloses the method of claim 1 , which is met by Chambers 
(see above), with the following limitation which is also met by Chambers: 

Wherein the artificial memory region spans an export table of one or more predetermined 
operating system components (Col 9, lines 13-25; Col 9, lines 44-54); 

The applicant should note that the export table of operating system components is represented 
by a list of operating system entry points" (Col 9, lines 21-22). 

As per claims 7 and 19, the applicant discloses the method of claim 1, which is met by Chambers 
(see above), with the following limitation which is also met by Chambers: 

Wherein creating an artificial memory region includes creating a custom version of an export table 
with predetermined values for the entry points (Col 9, lines 13-25; Col 9, lines 44-54); 

As per claims 13 and 15, the applicant discloses the method of claims 12 and 14 respectively, 
which are met by Chambers (see above), with the following limitations which are also met by Chambers: 

a) a fourth segment comprising auxiliary code, wherein the auxiliary code determines an 
operating system call that the emulated computer executable code attempted to access (Col 9, lines 13- 
25; Col 9, lines 44-54); 

b) a fifth segment comprising analyzer code, wherein the analyzer code monitors the operating 
system call to determine whether the computer executable code is viral, while emulation continues (Col 9, 
lines 13-25; Col 9, lines 44-54); 
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The applicant should note that the monitor described in the passages listed for a) and b) above 
could be deemed as auxiliary or analyzer code. The operating system call is the attempt to gain access 
to an operating system entry point. 

5 Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
10 the prior art are such that the subject matter as a whole would have been obvious at the time the 

invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 8,9, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Chambers in 

15 further view of Golan, U.S. Patent No. 5,974,549. 

As per claim 8, the applicant describes the method of claim 1, which is anticipated by Chambers 
(see above), with the following limitation which is anticipated by Golan: 

Further comprising monitoring access by the emulated computer executable code to dynamically 
20 linked functions (Col 6, lines 6-12; Col 5, lines 60-63); 

Chambers describes all the limitations of claim 1, the independent claim. However, Chambers 
fails to disclose anything concerning dynamically linked functions. Golan describes a security monitor 
method whereby access to dynamically linked functions is regulated because, as Golan discloses, "in an 
operating system that supports virtual memory and hardware abstraction, a software component can only 
25 breach security by calling a system call" (Col 5, lines 38-41). It would have been obvious to one of 

ordinary skill in that art at the time the invention was filed to have combined the teachings of Chambers 
with those of Golan and monitor access to dynamically linked functions because requesting access to 
dynamically linked functions could be an attempt to breach security. 
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As per claim 9, the applicant discloses the method of claim 8, which is met by Chambers in 
further view of Golan (see above), with the following limitation which is met by Golan: 

Wherein the artificial memory region spans a jump table containing pointers to the dynamically 
linked functions (Col 7, lines 31-35); 
5 Chambers in further view of Golan describes all the limitations of claim 8. Golan describes the 

additional limitation of a jump table containing pointers to the dynamically linked functions. The jump 
table is often incorporated with dynamically linked functions to store the actual addresses of the 
dynamically linked functions. It would have been obvious to one of ordinary skill in the art at the time in 
the invention was filed to have Included a jump table with the method so that there could be a way of 
10 storing the actual addresses of the dynamically linked functions. 

As per claim 20, the applicant discloses the method of claim 14, which is met by Chambers (see 
above), with the following limitation which is met by Golan: 

Wherein the artificial memory region created by the memory manager component spans a jump 
15 table containing pointers to dynamically linked functions, and the monitor component monitors access by 
the emulated computer executable code to the dynamically linked functions; 

The claim is met by the combination of claims 8 and 9. Explanations for claim 8 and 9 rejections 
are listed above. 

20 Response to Arguments 

Applicant's arguments, see Remarks filed 4/21/05, with respect to claim 1 have been fully 
considered but they are not persuasive. The applicant argues that Chambers does not disclose the 
limitations of the claim but instead discloses a system which blocks access to memory locations that are 
selected for controlled access. The examiner disagrees. Chambers discloses a monitor system which 
25 acts just like the applicant's monitor system to monitor operating system calls to detect viral code. 
Whenever an operating system call is placed to execute a program (Col 6, lines 67-68), the monitor 
system of Chambers identifies operating system components of the operating system that are to be used 



Application/Control Number: 09/905.532 Page 7 

Art Unit: 2137 

in the call and then creates an artificial memory region in which the contents of the operating system 
component which should be executed are copied (Col 8, lines 15-20). The subject file code is emulated 
so that it now accesses the remapped artificial memory region instead of the original memory region. 
Attempts to access the artificial memory region are logged for later use in determining whether the 
5 subject file may be viral (Col 8, lines 28-30). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth 
in 37 CFR 1..136(a). 

10 A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 

the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 

15 the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Kevin Schubert whose telephone number is (571) 272-4239. The examiner can normally 
be reached on M-F 8:00-5:00. 

20 If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 

Andrew Caldwell can be reached on (571) 272-3868, The fax phone number for the organization where 
this application or proceeding is assigned is 703-872-9306. 
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